On Friday, February 10, 2017, Varun Singh <varun.si...@gslab.com> wrote:
> On Tue, Feb 7, 2017 at 3:48 AM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> > On 7/02/2017 2:46 a.m., Varun Singh wrote:
> >> On Mon, Feb 6, 2017 at 11:39 AM, Amos Jeffries wrote:
> >>
> >> Hi,
> >> Please find my reply inline:
> >>
> >>> What documentation? It is wrong, or you are misunderstanding it. The URL
> >>> path?query is definitely *not* available without decrypting.
> >>>
> >>
> >> Correct, I mis-read it.
> >>
> >>
> >>> Because the only way to access more than hostname/IP and port is to decrypt.
> >>
> >> Okay. In that case, I am okay with only being able to see hostname/IP and port.
> >> But whenever I search for setting up HTTPS with Squid, I always come
> >> across SSL-bump.
> >> Could you point me to a tutorial which performs just a basic HTTPS setup?
> >
> > The Squid default config handles as much of HTTPS as can be handled
> > without the SSL-Bump feature.
> >
> >>
> >> What I have tried so far is configuring Squid to listen on port 3129
> >> to expect HTTPS traffic. I did this by adding the following line to
> >> squid.conf:
> >>
> >> https_port 3129
> >>
> >> Once this was done, I redirected all the traffic coming to port 443 to
> >> port 3129 using iptables. This is because my clients connect to the proxy
> >> via VPN.
> >
> > Since you are intercepting port 443 that port is missing the 'intercept'
> > flag. Also, intercepting port 443 requires SSL-Bump.
> >
> >
> >> But this had no effect. After connecting clients to the proxy, when I try
> >> to access an HTTPS website, the clients get no response and nothing
> >> shows in the access.log file. The browser behaves as if it could not
> >> connect to the internet.
> >>
> >> Please note that this setup works perfectly for HTTP requests. Only
> >> HTTPS requests give problems.
> >>
> >
> > Port 80 (HTTP) and port 443 (HTTPS) have totally different transport
> > protocols. The port 443 one is designed to break when being intercepted.
> >
> >
> >>
> >> FYI, by documentation I was referring to the link below:
> >> http://wiki.squid-cache.org/Features/HTTPS
> >>
> >
> >
> > Amos
>
> Thanks Amos. Sorry I couldn't reply earlier.
>
> So in this case, say I want to configure the HTTPS proxy from a
> web browser directly and not through VPN. In that case there will be
> no port forwarding involved and hence 443 shouldn't break. To achieve
> this, what configuration will have to be set in the squid.conf file? I am
> assuming we will have to at least provide a port number by adding
> 'https_port 3129'. Is there anything else I will have to do?
>
> Thanks for your help.
>
> --
> Regards,
> Varun

I found this post on a StackExchange forum which is exactly what I want:
http://serverfault.com/questions/798481/squid-configuration-for-https

The answer points to installing a CA on the client. Does this mean even if I
don't want the Squid-in-the-middle approach, my clients would still have to
install a certificate?

--
Regards,
Varun Singh <https://in.linkedin.com/in/varun-singh-12b29026>
Sr. Software Engineer | m: +91 20 4671 2290 | Great Software Laboratory <http://www.gslab.com/>
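Added example (not from the thread or from the Squid project): a minimal squid.conf for the browser-configured (explicit) forward proxy the message asks about, with the `https_port` and `intercept` variants from the earlier exchange shown alongside it for contrast. The listening ports, certificate paths and the 10.8.0.0/24 VPN client range are assumptions.

```conf
# Explicit forward proxy: browsers are pointed at 10.8.0.1:3128 (assumed
# address). For an HTTPS site the browser sends
#   CONNECT www.example.com:443 HTTP/1.1
# Squid opens a TCP tunnel and relays the bytes. It never decrypts, logs only
# "CONNECT www.example.com:443", and no certificate or CA is installed on
# the clients. This is the "basic HTTPS setup" that needs no SSL-Bump.
http_port 3128

acl localnet src 10.8.0.0/24          # assumed VPN client range
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports   # tunnels only to port 443
http_access allow localnet
http_access deny all

# What "https_port 3129" means: TLS between the *client and the proxy*
# (a "secure proxy"), not proxying of HTTPS sites. Squid then presents its own
# certificate and the client has to trust it, which is the certificate the
# ServerFault answer installs. It is not needed for the explicit setup above.
# Squid 3.5 syntax; Squid 4 renames cert=/key= to tls-cert=/tls-key=.
# https_port 3129 cert=/etc/squid/proxy.pem key=/etc/squid/proxy.key

# Interception of port 443 (the iptables REDIRECT attempt) would instead need
# the intercept flag, SSL-Bump, and the NAT rule on the Squid host itself so
# Squid can recover the original destination. With peek/splice Squid reads
# the TLS SNI from the ClientHello to log or filter by hostname and then
# passes the connection through undecrypted; clients still need no CA.
# https_port 3129 intercept ssl-bump cert=/etc/squid/proxy.pem
# acl step1 at_step SslBump1
# ssl_bump peek step1
# ssl_bump splice all
```

With the explicit configuration the access.log entry for an HTTPS site carries only the CONNECT target (host and port), which is exactly the "hostname/IP and port" limit described earlier in the thread; the URL path and query appear in the log only for plain HTTP requests or when Squid is bumping.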
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users